HIPAA Compliance Strategies

Featured Health Business Daily Story Aug. 14, 2009

CMS’s Summary of Its HIPAA Security Reviews Implies Encryption and Employee Background Checks May Be Required

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The first batch of government reviews of covered entities (CEs) for compliance with the security rule revealed a host of deficiencies, ranging from failure to conduct even an initial risk assessment to inconsistent employee training, according to a summary of findings and recommended corrective actions recently released by CMS.

But what is perhaps most interesting is CMS’s apparent position, expressed in the report, that encryption is effectively mandatory, and its statement that risk assessments should be repeated at least every three years.

CMS oversees compliance with the security rule, while the HHS Office for Civil Rights enforces the privacy rule. In 2008, the Office of E-Health Standards & Services within CMS began conducting security audits or reviews. CMS’s report, “HIPAA Compliance Review Analysis and Summary of Results,” marked the first time the agency has described findings from the 10 reviews it conducted last year.

John Parmigiani, who authored the first proposed federal electronic health information security rule, tells RPP the report is noteworthy because — unlike previous CMS documents, such as guidance — it contains some very specific recommendations and provides details in some areas where the government has been vague in the past. He is president of John Parmigiani & Associates, LLC, an information security consulting firm in Maryland.

“Overall, the CMS summary is a valuable source of information for all covered entities, as it not only reveals the areas of focus in the compliance reviews, but also gives specific recommendations from CMS for solutions to common compliance issues,” adds Chris Bennington, an attorney in the Cincinnati-Dayton office of Bricker & Eckler LLP, whose practice includes health care data privacy issues. “I would recommend that CEs review the CMS summary closely. By doing so, [a CE] will be better prepared should it ever be the subject of a compliance review.”

CMS has said it will conduct similar reviews this year.

Another reason to pay attention to the report: although, like guidance, it does not technically have the force of regulation, it should be adhered to, and CEs that follow its specifications generally will be able to claim a safe harbor, the security compliance experts tell RPP.

Areas of Noncompliance Identified

CMS said it chose the 10 CEs to review based on “complaints filed against the entities, identification of potential security rule violations through the media, or recommendations from OCR.”

During the reviews, CMS (or its contractors) conducted interviews with individuals at the CEs “to understand the nature of the incident, discuss corrective actions taken since the incident occurred, and identify existing or new processes which protected the confidentiality, availability, and integrity of electronic protected health information (ePHI),” the agency says.

“In addition, CMS examined documented policies and procedures which supported the security of ePHI. For selected key processes, CMS conducted analysis to assess whether the processes were operating effectively and as intended. To maintain visibility of the process, CMS provided regular status reports to the CE throughout the review, and discussed potential gaps in compliance with their representatives.”

CMS concluded that these CEs were “struggling” most with risk assessments; keeping their policies and procedures current; training employees on security compliance; conducting clearance checks on employees; ensuring adequate workstation security; and ensuring encryption is properly employed.

“The two themes that stand out to me in the CMS summary are the importance of well-developed policies and procedures and the obligation of ongoing compliance,” Bennington tells RPP. “Not surprisingly, many of the compliance issues highlighted by CMS focused on the covered entities’ policies and procedures.”

“A covered entity must not simply develop its security rule policies and procedures, put them in an employee handbook, and then never think about them again,” he adds.

The failings uncovered during the audits are “not necessarily too surprising,” says Parmigiani, such as CEs lacking policies or “policies that aren’t mirrors of what is going on at the CE.”

He notes that CMS “harped on a lack of documentation. Maybe CEs were doing what they were supposed to be doing, but they couldn’t put forth evidence to support that.” The lesson here, then, is to not only be in compliance but to be able to prove it; documentation is important, Parmigiani says.

Is Encryption No Longer Optional?

The security rule lists encryption as an “addressable” rather than a required implementation specification, stating only that CEs must “implement a mechanism to encrypt and decrypt electronic protected health information.” Yet the report notes that CMS guidance has been more specific on the issue of encryption, and, as CEs know, guidance, while not binding in the way regulation is, generally should be followed.

In this vein, the report states that, in December 2006, CMS released guidance on security for remote devices in which the agency broadly recommended that CEs “require that all portable or remote devices that store EPHI employ encryption technologies of the appropriate strength. … Deploy policy to encrypt backup and archival media; ensure that policies direct the use of encryption technologies of the appropriate strength.”

However, the audits revealed this isn’t happening as widely as it should be, and CMS says that should change. “The combination of CMS’s recommendation in the remote use guidance, the increasing number of incidents involving lost portable devices, and the decreasing cost of encryption solutions has resulted in an environment where encryption may not be optional under the mantra of reasonable and appropriate [emphasis added],” the report states.

Reviewers found that encryption was not implemented on all workstations and laptops; was not implemented on the transmission of data that contained ePHI; and that strong encryption was not consistently implemented.

Some of the reviewers said CEs leave encryption of electronic PHI in transit, particularly when e-mailed, up to an “employee’s request,” and CMS noted that “many organizations continued to use legacy transmissions methods for transferring ePHI, such as FTP, which did not include encryption mechanisms.”
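One way to find the legacy cleartext transfers the reviewers describe, as an added example that is not from the CMS report or the article: a Python check that runs over firewall log lines and flags allowed connections from systems in the ePHI inventory to the default ports of protocols that carry data unencrypted (FTP, Telnet, HTTP, plain mail protocols). The log format, the host inventory and the log lines themselves are constructed assumptions. A port-based check cannot tell whether a session on port 25 went on to negotiate STARTTLS, so such hits are reported for follow-up rather than as confirmed cleartext.

```python
"""Flag cleartext transfer protocols used by systems that hold ePHI.

Added illustration, not from the CMS report or the article. The log
format, the host inventory and the sample lines are constructed.
"""
import re
from collections import namedtuple

# Assumption: systems the risk assessment identified as storing,
# processing or transmitting ePHI, keyed by IP address.
EPHI_HOSTS = {"10.10.1.20": "ehr-db-01", "10.10.1.21": "lab-results-01"}

# Default ports of protocols that do not encrypt the data they carry.
# Port 25 may still upgrade to TLS via STARTTLS; a port check alone
# cannot confirm that, so it is labelled for follow-up.
CLEARTEXT_PORTS = {
    21: "FTP",
    23: "Telnet",
    25: "SMTP (TLS not verified)",
    80: "HTTP",
    110: "POP3",
    143: "IMAP",
}

# Constructed firewall log lines in a simplified key=value format.
SAMPLE_LOGS = """\
ts=2009-08-10T14:02:11Z src=10.10.1.20 dst=192.0.2.50 dport=21 proto=tcp action=allow
ts=2009-08-10T14:02:15Z src=10.10.1.20 dst=192.0.2.50 dport=22 proto=tcp action=allow
ts=2009-08-10T14:05:40Z src=10.10.2.7 dst=192.0.2.60 dport=80 proto=tcp action=allow
ts=2009-08-10T14:06:02Z src=10.10.1.21 dst=198.51.100.9 dport=25 proto=tcp action=allow
ts=2009-08-10T14:07:30Z src=10.10.1.21 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2009-08-10T14:08:01Z src=10.10.1.20 dst=192.0.2.50 dport=80 proto=tcp action=deny
"""

LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)"
)

Finding = namedtuple("Finding", "ts host src dst protocol")


def find_cleartext_transfers(log_text, ephi_hosts=EPHI_HOSTS, cleartext_ports=CLEARTEXT_PORTS):
    """Return a Finding for every allowed connection from an ePHI host to a cleartext port."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production job should count and report these
        if m["action"] != "allow":
            continue  # blocked connections did not move any data
        src = m["src"]
        port = int(m["dport"])
        if src in ephi_hosts and port in cleartext_ports:
            findings.append(Finding(m["ts"], ephi_hosts[src], src, m["dst"], cleartext_ports[port]))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_transfers(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} ({f.src}) -> {f.dst} over {f.protocol}")
```

Run against the constructed lines, the check reports the FTP session from ehr-db-01 and the port-25 session from lab-results-01; the SSH and HTTPS connections and the blocked HTTP attempt are not reported, and the HTTP connection from 10.10.2.7 is ignored because that host is not in the ePHI inventory. The point of keying the check on the inventory is that it reuses the asset list the risk assessment is supposed to produce.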

The guidance, in Parmigiani’s view, also establishes the use of encryption as mandatory, or at least “as a safe harbor,” which is also new but in line with the request for information HHS issued in April related to breach notification.

Background Checks May Now Be Mandatory

Another problem area, as noted, is “workforce clearance procedures.” The rule requires “appropriate access,” which CMS takes to mean “background investigations on personnel,” for both those with on-site and remote access.

Background investigations on personnel should be conducted before they are given access to electronic PHI, the report states. The audits found CEs sometimes completed such checks after the employee had already been granted such access.

It also states that “reinvestigations” should occur for positions identified as “high-risk,” and posits that these activities should extend to business associates (BAs).

“CEs should require background investigations from vendors and third parties who have access to ePHI. This should be part of the requirements established in business associate agreements with these vendors and third parties,” the report says.

CMS has not provided this level of detail or specification before, Parmigiani says. Some CEs and others “assumed” that background checks were what CMS expected, but it never came out and said so before now.

Specific recommendations also relate to training. Bennington notes that “CMS stressed that [this] is an ongoing obligation. CMS recommended that employees who do not complete their refresher training in a timely fashion should be subject to pre-determined sanctions.”

Parmigiani adds that, under the report, “you need to have yearly refresher training. That [timing] was always kind of in the eyes of the beholder before.”

Many security experts believe the foundation of any security compliance program is a risk assessment. These are being done, according to the report, but not often enough. “Many of the CEs that performed risk assessments conducted those assessments at a point between August 1996, when Congress enacted HIPAA, and the point when the law required CEs to comply with the security rule (either April of 2005 or 2006 depending on the size of the CE),” the report says.

It also notes that these CEs haven’t done an assessment since their initial one, and states that these must be repeated. It recommends a “periodic reassessment” that occurs “at least every three years or whenever there is a significant change in the environment, including, but not limited to:

  •  Introduction of new systems;
  •  Significant upgrades to existing systems;
  •  Retirement or disposal of systems;
  •  Physical relocation of IT assets;
  •  Introduction of new lines of business; and
  •  Reorganization of the CE’s management or business structure.”

The emphasis on doing a risk assessment is welcome, says Parmigiani, who was especially pleased that CMS “finally came out and said” that the initial risk assessments must be repeated, with a specific timetable of at least every three years.

“That is definitely new. They have never said that before. They had always been hesitant before” to establish a time frame, because the security rule always emphasized scalability and the fact that compliance should be customized to the CE, he says. But giving a specific timetable will push more CEs to take this requirement seriously, Parmigiani says.

The document also spells out the components of a risk assessment, which begins with a process to “identify the systems which store, process, or transmit ePHI. CEs must also identify components of the organization which handle ePHI and the physical location of IT assets that contain ePHI,” the report states. Steps to be taken include identifying threats to the system as well as the probability that a “vulnerability will be exploited” and an analysis of “controls that have been implemented or are planned for implementation.”

It also states that a manager within the CE should sign off on the assessment, and that once the assessment (or reassessment) is over, CEs should “identify corrective actions for any weaknesses they identify during the process. These plans should identify steps to mitigate the residual risks identified in the risk assessment.”
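The components listed above, and the reassessment triggers from the earlier list, worked through as an added example that is not from the CMS report or the article: a small Python risk register that records each ePHI system and its physical location, scores the probability that a vulnerability is exploited against its impact, credits only controls that are actually implemented (planned ones are recorded but do not lower current risk), produces the corrective action plan for residual risks above a threshold, and applies the three-years-or-significant-change rule for reassessment. The scoring scales, the threshold, the sample assets, threats and control-effectiveness figures are constructed assumptions.

```python
"""Risk register following the components the CMS summary lists.

Added illustration, not from the CMS report or the article. Scoring scales,
assets, threats and control-effectiveness figures are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}   # probability a vulnerability is exploited
IMPACT = {"low": 1, "medium": 2, "high": 3}       # effect on ePHI confidentiality/integrity/availability
RESIDUAL_THRESHOLD = 3.0                          # assumption: residual risk above this needs an action


@dataclass
class Control:
    name: str
    implemented: bool   # planned controls are recorded but do not lower current risk
    reduction: float    # fraction of inherent risk the control removes (assumed figures)


@dataclass
class Risk:
    asset: str          # system that stores, processes or transmits ePHI
    location: str       # physical location of the IT asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        score = float(self.inherent_score())
        for c in self.controls:
            if c.implemented:
                score *= 1.0 - c.reduction
        return round(score, 2)


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("ehr-db-01", "data center A", "theft of backup tape", "backup media not encrypted",
         "medium", "high",
         [Control("encrypt backup media", implemented=False, reduction=0.8),
          Control("locked media cabinet", implemented=True, reduction=0.3)]),
    Risk("clinic-laptop-07", "remote / home office", "lost or stolen laptop", "ePHI cached locally",
         "high", "high",
         [Control("full-disk encryption", implemented=True, reduction=0.9)]),
    Risk("ehr-web-01", "data center A", "external attacker", "delayed patching of web server",
         "medium", "high",
         [Control("monthly patch cycle", implemented=True, reduction=0.5)]),
]


def corrective_actions(risks, threshold=RESIDUAL_THRESHOLD):
    """Corrective action plan: (asset, threat, residual score, controls still to implement)
    for every risk whose residual score is above the threshold, highest first."""
    plan = []
    for r in sorted(risks, key=lambda r: r.residual_score(), reverse=True):
        if r.residual_score() > threshold:
            planned = [c.name for c in r.controls if not c.implemented]
            plan.append((r.asset, r.threat, r.residual_score(), planned))
    return plan


def reassessment_due(last_assessment, today, significant_changes=()):
    """Reassess at least every three years, or whenever a significant change
    (new system, major upgrade, disposal, relocation, new line of business,
    reorganization) has occurred since the last assessment."""
    if significant_changes:
        return True
    return today >= last_assessment + timedelta(days=3 * 365)


def sample_schedule():
    """Three constructed cases: overdue on age, not yet due, due because of a change."""
    return (
        reassessment_due(date(2006, 4, 1), date(2009, 8, 14)),
        reassessment_due(date(2008, 1, 1), date(2009, 8, 14)),
        reassessment_due(date(2008, 1, 1), date(2009, 8, 14), ("new EHR system",)),
    )


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.asset:18} inherent={r.inherent_score()} residual={r.residual_score()}")
    for asset, threat, residual, planned in corrective_actions(SAMPLE_RISKS):
        print(f"ACTION {asset}: {threat} (residual {residual}) -> implement {planned}")
    print("reassessment due?", sample_schedule())
```

On the sample register, the unencrypted backup tape is the only item that stays above the threshold after implemented controls are credited, so it is the one that lands in the corrective action plan, with the planned encryption control as the mitigation step. The laptop risk, though the highest inherent score, drops out because full-disk encryption is already in place. The schedule check reports an initial assessment from April 2006 as overdue by the three-year rule, even though nothing in the environment changed, which is exactly the situation the report describes.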

iPods, BlackBerries Are Addressed

Beyond the expected advice, the report provides something of an update that recognizes new technologies that weren’t in wide use a few years ago, but are ubiquitous now.

After warning that “CEs should identify requirements for encryption of portable devices and media as necessary” and noting that “if ePHI is stored on USB keys, backup tapes, PDAs, BlackBerries, iPods, or other portable devices, the data on this media should be encrypted,” CMS then suggests that storing ePHI on such devices might better not be allowed at all.

“CEs should also consider implementing policies specifically forbidding ePHI on these types of devices,” it says. But the report then adds, “CEs must then consider approaches to prevent this information from moving to these devices. Such a decision will be dependent on the work of the employees, and the need to be able to access data from a portable device, particularly in the clinical arena, given the advent of electronic health records and personal health records which are designed to be accessed from anywhere at any time.”

Workstation security was also found lacking, the report says. “CEs did not have a formalized, documented policy or process for verifying the security of workstations; CEs were not complying with their policies and procedures for securing workstations; and, CEs did not deploy the necessary tools to implement documented policies,” it says.

“Because of the increased use of laptops and other portable devices and the ease with which threat sources can gain access to these devices’ data, preventing these systems from ‘walking away’ is critical in protecting ePHI,” the report states.

In addition to addressing these deficiencies, CMS says CEs should be conducting “walk-throughs” to identify and correct other site-specific lapses.

Parmigiani points out that, as a result of this year’s HITECH Act, BAs are now responsible for complying with nearly the same requirements as CEs, effective Feb. 18, 2010.

He believes that within a year of that date, CMS will likely start auditing BAs and putting them under a microscope the same way it has with CEs. To prepare, BAs should also review the compliance summary, he says.

“I think if you are a BA, you need to be mindful of everything that is required, because I do believe that enforcement is being stepped up,” he warns. “I think we will see an audit of a big BA, maybe a transcription company or a practice management company, so that CMS can show that they are out there” reviewing BAs as well as CEs, he says.

Read the CMS report at www.cms.hhs.gov/Enforcement/Downloads/HIPAAComplianceReviewSumtopost508.pdf.

 

Copyright © 2010 by Atlantic Information Services, Inc. All rights reserved.